Of all the adversaries facing the US in cyberspace, there is one that the FBI and CIA often seem to struggle to contain.

It’s not a nation state hacking group such as Fancy Bear, APT 1 or Lazarus Group, but a group whose resourcefulness, determination, and ability to think creatively can prove to be every bit as big a handful – teenagers.

The latest relates to the appropriately-named Kane Gamble, who last October pleaded guilty to leading the ‘Crackas With Attitude’ (CWA) group that launched a series of innovative attacks on senior US government figures between June 2015 and his arrest in February 2016.

Next on the list were then-FBI deputy director Mark Giuliano, special FBI agent Amy Hess, secretary of homeland security Jeh Johnson, deputy national security adviser Avril Haines, and senior science and technology adviser John Holdren – to name only a few.

He listened to numerous voicemails, sent text messages from Jeh Johnson’s phone, and even remotely accessed his internet-connected TV to post the message “I own you.”

What stands out is not only the campaign’s success but a disarmingly simple MO that holds a big warning for organisations everywhere.

Far from using advanced hacking, Gamble simply phoned up help desks for broadband services and utilities using public numbers, convincing staff they were speaking to the target as a way of gaining access or resetting accounts.

The security that should have stopped the group – answering personal security questions – didn’t.

As prosecuting QC John Lloyd-Jones put it:

The group incorrectly have been referred to as hackers. The group in fact used something known as social engineering, which involves socially manipulating people – call centres or help desks – into performing acts or divulging confidential information.

If a few teens can talk their way into the accounts of high-profile targets such as the head of the CIA, what chance would the average organisation or citizen stand? It’s a chink in the armour of authentication every organisation should assess.

Two Sophos experts recently spoke about the threat of social engineering in a Facebook Live chat. It’s worth a watch to learn more about the problem, and find out how to fight back against social engineers.

5 comments on “How a teen used social engineering to take on the FBI and CIA”

1. I hope he doesn’t get into too much trouble (unless he put people in danger).
2. The stunt of “accessed his internet-connected TV to post the message “I own you.”” is kinda cool.
3. If he had put “All your base are belong to us” he would be immortalized (for a week).